fix(auth): Cognito additional auth (#553)

Author: bboure

.github/workflows/ci.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node: [16]
+        node: [16, 18]
     steps:
       - uses: actions/setup-node@v3
         with:

src/__tests__/api.test.ts

@@ -74,6 +74,14 @@ describe('Api', () => {
     it('should compile the Api Resource with additional auths', () => {
       const api = new Api(
         given.appSyncConfig({
+          authentication: {
+            type: 'AMAZON_COGNITO_USER_POOLS',
+            config: {
+              userPoolId: 'pool123',
+              awsRegion: 'us-east-1',
+              appIdClientRegex: '[a-z]',
+            },
+          },
           additionalAuthentications: [
             {
               type: 'AMAZON_COGNITO_USER_POOLS',
@@ -117,7 +125,6 @@ describe('Api', () => {
                   "UserPoolConfig": Object {
                     "AppIdClientRegex": "[a-z]",
                     "AwsRegion": "us-east-1",
-                    "DefaultAction": "ALLOW",
                     "UserPoolId": "pool123",
                   },
                 },
@@ -147,14 +154,20 @@ describe('Api', () => {
                   },
                 },
               ],
-              "AuthenticationType": "API_KEY",
+              "AuthenticationType": "AMAZON_COGNITO_USER_POOLS",
               "Name": "MyApi",
               "Tags": Array [
                 Object {
                   "Key": "stage",
                   "Value": "Dev",
                 },
               ],
+              "UserPoolConfig": Object {
+                "AppIdClientRegex": "[a-z]",
+                "AwsRegion": "us-east-1",
+                "DefaultAction": "ALLOW",
+                "UserPoolId": "pool123",
+              },
               "XrayEnabled": false,
             },
             "Type": "AWS::AppSync::GraphQLApi",

src/resources/Api.ts

@@ -88,7 +88,7 @@ export class Api {
       merge(endpointResource.Properties, {
         AdditionalAuthenticationProviders:
           this.config.additionalAuthentications?.map((provider) =>
-            this.compileAuthenticationProvider(provider),
+            this.compileAuthenticationProvider(provider, true),
           ),
       });
     }
@@ -411,14 +411,18 @@ export class Api {
     };
   }
 
-  getUserPoolConfig(auth: CognitoAuth) {
+  getUserPoolConfig(auth: CognitoAuth, isAdditionalAuth = false) {
     const userPoolConfig = {
       AwsRegion: auth.config.awsRegion || { 'Fn::Sub': '${AWS::Region}' },
       UserPoolId: auth.config.userPoolId,
       AppIdClientRegex: auth.config.appIdClientRegex,
-      // Default action is the one passed in the config
-      // or 'ALLOW'
-      DefaultAction: auth.config.defaultAction || 'ALLOW',
+      ...(!isAdditionalAuth
+        ? {
+            // Default action is the one passed in the config
+            // or 'ALLOW'
+            DefaultAction: auth.config.defaultAction || 'ALLOW',
+          }
+        : {}),
     };
 
     return userPoolConfig;
@@ -468,14 +472,16 @@ export class Api {
     }));
   }
 
-  compileAuthenticationProvider(provider: Auth) {
+  compileAuthenticationProvider(provider: Auth, isAdditionalAuth = false) {
     const { type } = provider;
     const authPrivider = {
       AuthenticationType: type,
     };
 
     if (type === 'AMAZON_COGNITO_USER_POOLS') {
-      merge(authPrivider, { UserPoolConfig: this.getUserPoolConfig(provider) });
+      merge(authPrivider, {
+        UserPoolConfig: this.getUserPoolConfig(provider, isAdditionalAuth),
+      });
     } else if (type === 'OPENID_CONNECT') {
       merge(authPrivider, {
         OpenIDConnectConfig: this.getOpenIDConnectConfig(provider),